OAuth 2 Authorization Framework: Grant Types and Tokens
OAuth 2
Some witty subtitle here if anyone can read this
Chris Wood - https://chriswoodcodes.net
Basic overview of things to cover
- What is OAuth
- Grant Types
- Tokens
OAuth
- OAuth is an authorisation framework, allowing an application to access details about you or perform operations on your behalf
- It defines various flows for that application to request access
- The application is provided a limited and short-lived credential to do what it requested of you
- This means that the application doesn’t need to know your credentials
- For example, you can create an account with an application using an account from another application, simplifying the signup process. You can also benefit from SSO.
OAuth Roles
- Resource Owner: typically the User.
- Resource Server: the API the Client wants to access.
- Client: the application requesting access to the Resource Server, on behalf of the Resource Owner.
- Authorization Server: authenticates the Resource Owner and issues tokens. May be the same service as the Resource Server.
OAuth Flow
Ref: https://docs.authlib.org/en/latest/oauth/2/intro.html
Client
- In Azure, configured as an App Registration
- Defines Redirect URI
- Allowed Response Types
- Permissions required of a user (e.g. to access their profile photo)
- Public or Confidential
  - Public, usually for SPAs or mobile apps, where the Client Secret can’t be secured
  - Confidential, where the Client Secret can be secured
- Type of app: web app (server side), SPA, mobile app, native
- Demo: App Registration in the Azure Portal
Grant Type
- Also called ‘authorization flows’
- It’s how the Client receives the token from the Authorization Server
- Either ‘interactive’ or ‘non-interactive’
- Examples include:
  - Implicit
  - ROPC/Password Grant
  - Device Code
  - Client Credential
  - Refresh Token
  - Authorisation Code
  - Authorisation Code + PKCE
Grant Type – Components
- Common components of using the different Grant Types
- Client Id: generated by the App Registration
- Redirect URI: specified on the App Registration
- Scope: what the Client is requesting (appears as permissions for the User to approve)
- Response Type: the Grant Type to use
- Response Mode
  - Query: e.g. url?token=ASDFG
  - Fragment: url#token=ASDFG
  - Form Post: POST url, Body: ASDFG
- State/Nonce: to help validate the request when returned
- Endpoints: /authorize and /token
Grant Type – Implicit
- Response Type: token
- Interactive
- Benefits
  - Easy to use
- Negatives
  - Legacy
  - Lacks client authentication
  - Relies on redirect URL
- Demo: <website using Implicit Flow>
Ref: http://bernardopacheco.net/how-oauth-and-openid-connect-work
Grant Type – ROPC/Password Grant
- Resource Owner Password Credential
- Allows us to get the user’s credentials and send them to a 3rd party to authenticate
- Legacy
- Might or might not be interactive
- Benefits
  - Simple
- Negatives
  - Ideally, we should never handle credentials; we don’t want the responsibility
  - Need to make sure the details aren’t leaked somewhere (e.g. logs)
  - Most services don’t support this anymore
Grant Type – Device Code
- Interactive
- Device displays a code that you enter into a web browser, after logging in
- Device is given a code to authenticate going forward
Grant Type – Client Credential
- Not interactive
- Used by Service Principals
- The application itself requesting access to a resource to which it has been authorized
- Primarily through credentials such as Client Id and Client Secret
- Alternatively, certificates can be used
Grant Type – Auth Code
- Short for Authorization Code
- Response Type: code
- Interactive
- /authorize returns a Code
- The Code is exchanged for tokens in the backend
  - /token endpoint
  - For Confidential apps, specify Client Secret
- Code can only be exchanged once for a Token
- Token is not accessible by the User
Ref: http://bernardopacheco.net/how-oauth-and-openid-connect-work
Grant Type – Auth Code + PKCE
- Same as Auth Code, but more awesome
- Short for Proof Key for Code Exchange
- Code Verifier: cryptographically random string
- Code Challenge: SHA256 hash of the Code Verifier
- As part of the request to /authorize, the Code Challenge is provided
- In the backend, as part of exchanging the Code for a Token, we also provide the Code Verifier
- The Authorization Server will hash the Code Verifier and see that it matches the Code Challenge we sent earlier; this confirms on their side that we are the one that initiated the authorize request
- Pros
  - So even if someone malicious was able to see the Code, they wouldn’t be able to exchange the Code for a Token without knowing the Code Verifier
  - When using the Client Secret, the Authorization Server can authenticate the Client
- Cons
  - More complex to set up compared to other Grant Types
- Demo: <website using Auth Code + PKCE>
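The two slides above (Auth Code, and Auth Code + PKCE) and the earlier Components slide walked through in code. This is an added example, not code from the deck or from the author: the Client builds the /authorize request from the listed components (client_id, redirect_uri, scope, response_type, response_mode, state, nonce) plus a PKCE code_challenge, checks the returned state, and exchanges the Code together with the Code Verifier. A toy in-memory class stands in for the Authorization Server's /authorize and /token endpoints so the whole thing runs offline; it binds the one-time Code to the challenge and releases a token only when the presented verifier hashes to it. The endpoint URL, client id and redirect URI are constructed placeholders, and `make_code_challenge` follows the S256 method of RFC 7636.

```python
import base64
import hashlib
import secrets
from collections import namedtuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; a real App Registration supplies these values.
AUTHORIZE_ENDPOINT = "https://login.example.test/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-1111-2222-3333-444444444444"
REDIRECT_URI = "https://app.example.test/signin-oidc"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding PKCE (RFC 7636) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43-character Code Verifier (RFC 7636 allows 43..128 chars)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: Code Challenge = base64url(SHA256(Code Verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(state: str, nonce: str, code_challenge: str, scope: str = "openid profile") -> str:
    """The /authorize request built from the components on the Components slide."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",     # Auth Code grant
        "response_mode": "query",    # the Code comes back as ?code=...
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class ToyAuthorizationServer:
    """Stand-in for the real /authorize and /token endpoints (constructed for this example)."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url: str) -> str:
        """User has signed in and consented: issue a Code bound to the challenge, then redirect."""
        q = _query(url)
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported request")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str):
        """Exchange the Code for a token; returns None on any failure."""
        entry = self._pending.pop(code, None)  # pop: a Code can only be exchanged once
        if entry is None:
            return None
        saved_client, saved_redirect, challenge = entry
        if client_id != saved_client or redirect_uri != saved_redirect:
            return None
        # Hash what the Client presents now and compare with what it sent to /authorize.
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": "at-" + b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


FlowResult = namedtuple("FlowResult", "token code verifier")


def client_flow(server: ToyAuthorizationServer, present_verifier: str = None) -> FlowResult:
    """Run the Client side once; present_verifier lets the demo substitute a wrong verifier."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier = make_code_verifier()
    redirect = server.authorize(build_authorize_url(state, nonce, make_code_challenge(verifier)))
    back = _query(redirect)
    if not secrets.compare_digest(back.get("state", ""), state):
        return FlowResult(None, None, verifier)  # not the response to the request we started
    presented = verifier if present_verifier is None else present_verifier
    return FlowResult(server.token(CLIENT_ID, REDIRECT_URI, back["code"], presented), back["code"], verifier)


def demo() -> dict:
    server = ToyAuthorizationServer()
    honest = client_flow(server)
    # Seeing the Code alone (e.g. in a log) is not enough: a different verifier is rejected.
    other = client_flow(ToyAuthorizationServer(), present_verifier=make_code_verifier())
    return {
        "honest_gets_token": honest.token is not None,
        "wrong_verifier_rejected": other.token is None,
        "code_replay_rejected": server.token(CLIENT_ID, REDIRECT_URI, honest.code, honest.verifier) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports three outcomes: the honest Client gets a token, an exchange with a verifier that does not hash to the stored challenge is refused, and replaying an already-used Code is refused. The `state` comparison on the Client side is the check the Components slide refers to: the redirect is only accepted if it carries the value this Client generated for this request.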
Tokens
- These flows by default return Access and Refresh tokens
- Access token
  - Can access an API on the User’s behalf, e.g. access to their profile photo
  - Usually a JWT but doesn’t have to be
- Refresh token
  - Only used to get newer Access and Id Tokens
  - Are longer lived
  - Usually a JWT but doesn’t have to be
- To request an Id Token, must specify ‘openid’ in the ‘scope’ of the /authorize request (OIDC)
OIDC (OpenID Connect)
- Identity layer on top of OAuth
- Defines an Id Token, containing information about the User
  - Is a JWT (JSON Web Token)
  - Contains a standard set of claims
  - Can be extended with other claims (configured on the App Registration/Client)
- The Id Token can be used to verify information about the User, compared to an Access Token which can perform an operation on behalf of the User
- If you only need to confirm someone’s identity, the Access/Refresh tokens can be ignored
- Demo: JWT
Tokens – Validation
- Need to validate the Tokens to make sure they come from who we were expecting, and not someone pretending to be them
- Confirm the authenticity of the token
  - Signed by the Authorization Server
  - Not expired
  - Correct Issuer
  - Correct Audience
- After that, can authorize the user (if they are signing in)
  - Includes what Role or Groups they are assigned to
  - Or using an identifier (e.g. UPN) look up their permissions in the Client
Last thing, how it looks in the code
Questions?
Resources
- https://oauth.net/
- https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
- https://auth0.com/docs/protocols/protocol-oauth2

Mais conteúdo relacionado

Mais procurados

Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 

Mais procurados (20)

Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
OAuth
OAuthOAuth
OAuth
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Jwt Security
Jwt SecurityJwt Security
Jwt Security
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 

Semelhante a OAuth 2 Authorization Framework: Grant Types and Tokens

Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsStefan Weber
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authenticationijtsrd
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowManish Pandit
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsSalesforce Developers
 

Semelhante a OAuth 2 Authorization Framework: Grant Types and Tokens (20)

Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
REST API Authentication Methods.pdf
REST API Authentication Methods.pdfREST API Authentication Methods.pdf
REST API Authentication Methods.pdf
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated Permissions
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 

Último

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Último (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

OAuth 2 Authorization Framework: Grant Types and Tokens

  • 1. OAuth 2 Some witty subtitle here if anyone can read this Chris Wood - https://chriswoodcodes.net
  • 2. Basic overview of things to cover  What is OAuth  Grant Types  Tokens Chris Wood - https://chriswoodcodes.net Chris Wood - https://chriswoodcodes.net
  • 3. OAuth  OAuth is an authorisation framework, allowing an application to access details about you or perform operations on your behalf  It defines various flows for that application to request access  The application is provided a limited and short lived credential to do what it requested of you  This means that the application doesn’t need to know your credentials  For example can create an account with an application using an account from another application simplifying the signup process. Can also benefit from SSO. Chris Wood - https://chriswoodcodes.net
  • 4. OAuth Roles  Resource Owner: typically the User.  Resource Server: the API the Client wants to access.  Client: the application requesting access to the Resource Server, on behalf of the Resource Owner.  Authorization Server: authenticates the Resource Owner and issues tokens. May be the same service as the Resource Server. Chris Wood - https://chriswoodcodes.net
  • 6. Client  In Azure, configured as an App Registration  Defines Redirect URI  Allowed Response Types  Permissions required of a user (i.e. to access their profile photo)  Public or Confidential  Public, usually for SPAs or mobile apps. Where the Client Secret can’t be secured  Confidential, where the Client Secret can be secured  Type of app, web app (server side, spa, mobile app, native)  Demo: App Registration in the Azure Portal Chris Wood - https://chriswoodcodes.net
  • 7. Grant Type  Also called ‘authorization flows’  It’s how the Client receives the token from the Authorization Server  Either ‘interactive’ or ‘non-interactive’  Examples include:  Implicit  ROPC/Password Grant  Device Code  Client Credential  Refresh Token  Authorisation Code  Authorisation Code + PKCE Chris Wood - https://chriswoodcodes.net
  • 8. Grant Type – Components  Common components of using the different Grant Types  Client Id: generated by the App Registration  Redirect URI: specified on the App Registration  Scope: What the Client is requesting (appears as permissions for the User to approve)  Response Type: the Grant Type to use  Response Mode  Query: i.e. url?token=ASDFG  Fragment: url#token=ASDFG  Form Post: POST url, Body: ASDFG  State/Nonce: to help validate the request when returned  Endpoints: /authorize and /token Chris Wood - https://chriswoodcodes.net
  • 9. Grant Type – Implicit  Response Type: token  Interactive  Benefits  Easy to use  Negatives  Legacy  Lacks client authentication  Relies on redirect URL  Demo: <website using Implicit Flow> Ref: http://bernardopacheco.net/how-oauth-and-openid-connect-work Chris Wood - https://chriswoodcodes.net
10. Grant Type – ROPC/Password Grant
 Resource Owner Password Credential
 Allows us to collect the user’s credentials and send them to a 3rd party to authenticate
 Legacy
 Might or might not be interactive
 Benefits
 Simple
 Negatives
 Ideally, we should never handle credentials; we don’t want the responsibility
 Need to make sure the details aren’t leaked somewhere (e.g. logs)
 Most services don’t support this anymore
11. Grant Type – Device Code
 Interactive
 Device displays a code that you enter into a web browser, after logging in
 Device is given a code to authenticate going forward
12. Grant Type – Client Credential
 Not interactive
 Used by Service Principals
 The application itself requests access to a resource to which it has been authorized
 Primarily through credentials such as Client Id and Client Secret
 Alternatively, certificates can be used
13. Grant Type – Auth Code
 Short for Authorization Code
 Response Type: code
 Interactive
 /authorize returns a Code
 The Code is exchanged for tokens in the backend
 /token endpoint
 For Confidential apps, specify Client Secret
 Code can only be exchanged once for a Token
 Token is not accessible by the User
Ref: http://bernardopacheco.net/how-oauth-and-openid-connect-work
14. Grant Type – Auth Code + PKCE
 Same as Auth Code, but more awesome
 Short for Proof Key for Code Exchange
 Code Verifier: cryptographically random string
 Code Challenge: SHA256 hash of the Code Verifier
 As part of the request to /authorize, the Code Challenge is provided
 In the backend, as part of exchanging the Code for a Token, we also provide the Code Verifier
 The Authorization Server hashes the Code Verifier and checks that it matches the Code Challenge we sent earlier. This confirms on their side that we are the one that initiated the authorize request
 Pros
 So even if someone malicious was able to see the Code, they wouldn’t be able to exchange the Code for a Token without knowing the Code Verifier
 When using the Client Secret, the Authorization Server can authenticate the Client
 Cons
 More complex to set up compared to other Grant Types
 Demo: <website using Auth Code + PKCE>
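The following is an added example, not code from the slides, showing the Auth Code + PKCE round trip end to end together with the request components from the "Grant Type – Components" slide (client_id, redirect_uri, scope, response_type, response_mode, state/nonce, the /authorize and /token endpoints). The endpoints, Client Id and Redirect URI are constructed placeholders; the server side of PKCE is shown as a stand-alone function so the check the Authorization Server performs on /token is visible. Only the standard library is used; in a real client the /token request would be an HTTPS POST from the backend.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed endpoints and client settings for the example; not a real tenant or App Registration.
AUTHORIZE_ENDPOINT = "https://login.example.test/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = "https://login.example.test/oauth2/v2.0/token"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder Client Id
REDIRECT_URI = "https://app.example.test/callback"    # must match the App Registration exactly


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes encode to 43 characters, the minimum length RFC 7636 allows (max 128)
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(scope, state, nonce, code_challenge, response_mode="query"):
    """The /authorize request, carrying every component the Components slide lists."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",          # Auth Code grant; Implicit would ask for "token"
        "scope": scope,                   # include "openid" to also receive an Id Token (OIDC)
        "state": state,                   # echoed back; binds the response to this session
        "nonce": nonce,                   # echoed inside the Id Token for the same reason
        "response_mode": response_mode,   # query, fragment or form_post
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(response: str, expected_state: str, response_mode="query") -> str:
    """Pull the code out of the response in whichever mode we asked for, checking state first.

    For query and fragment, `response` is the redirect URL; for form_post it is the POST body.
    """
    if response_mode == "form_post":
        raw = response
    else:
        parsed = urlparse(response)
        raw = parsed.query if response_mode == "query" else parsed.fragment
    fields = {k: v[0] for k, v in parse_qs(raw).items()}
    if "error" in fields:
        raise ValueError("authorization failed: " + fields["error"])
    # A state we did not issue means this response was not triggered by our request; drop it
    if not secrets.compare_digest(fields.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    if "code" not in fields:
        raise ValueError("no code in response")
    return fields["code"]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Body of the backend POST to /token. A Confidential client adds client_secret as well."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": code_verifier,
    }


def server_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization Server side of /token: hash the verifier, compare with the stored challenge."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def run_demo() -> dict:
    """One complete round trip with a constructed server response; returns what each side decided."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    authorize_url = build_authorize_url("openid profile", state, nonce, challenge)
    # Constructed redirect back from the Authorization Server, query response mode
    callback = REDIRECT_URI + "?code=CONSTRUCTED_CODE&state=" + state
    code = parse_callback(callback, state)
    token_request = build_token_request(code, verifier)
    return {
        "authorize_url": authorize_url,
        "token_request": token_request,
        "server_accepts_our_verifier": server_verify_pkce(challenge, token_request["code_verifier"]),
        "server_accepts_other_verifier": server_verify_pkce(challenge, make_code_verifier()),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The last two entries of `run_demo()` are the point of the slide: a party that only saw the Code (the stale state or a leaked redirect) cannot complete the exchange, because the server recomputes the S256 challenge from the verifier that only the original client holds. The `state` check in `parse_callback` is the client-side counterpart, making sure the redirect belongs to a request this session actually started.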
15. Tokens
 These flows by default return Access and Refresh tokens
 Access token
 Can access an API on the User’s behalf, e.g. access to their profile photo
 Usually a JWT, but doesn’t have to be
 Refresh token
 Only used to get newer Access and Id Tokens
 Longer lived
 Usually a JWT, but doesn’t have to be
 To request an Id Token, must specify ‘openid’ in the ‘scope’ of the /authorize request (OIDC)
16. OIDC (OpenID Connect)
 Identity layer on top of OAuth
 Defines an Id Token, containing information about the User
 Is a JWT (JSON Web Token)
 Contains a standard set of claims
 Can be extended with other claims (configured on the App Registration/Client)
 The Id Token can be used to verify information about the User, compared to an Access Token, which can perform an operation on behalf of the User
 If you only need to confirm someone's identity, the Access/Refresh tokens can be ignored
 Demo: JWT
17. Tokens – Validation
 Need to validate the Tokens to make sure they come from who we were expecting, and not someone pretending to be them
 Confirm the authenticity of the token
 Signed by the Authorization Server
 Not expired
 Correct Issuer
 Correct Audience
 After that, can authorize the user (if they are signing in)
 Includes what Role or Groups they are assigned to
 Or, using an identifier (e.g. UPN), look up their permissions in the Client
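As an added example (not from the slides or from any library the deck uses), here is the validation order the slide gives, signature, then expiry, issuer and audience, then role-based authorisation, implemented over a JWT with only the standard library. To stay self-contained it signs and verifies with HS256 and a shared key; a real Authorization Server such as Azure AD signs with RS256 and the API fetches the public keys from the issuer's JWKS endpoint, so the signature step would use an RSA verify instead, while the claim checks stay the same. Issuer, audience, key and user values are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time

CLOCK_SKEW = 60  # seconds of tolerance for clock drift between issuer and API


class TokenInvalid(ValueError):
    """Any validation failure. Callers treat every reason the same way: reject the request."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the Authorization Server issuing an HS256-signed JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, key: bytes, expected_issuer: str, expected_audience: str, now=None) -> dict:
    """Return the claims if every check on the slide passes, otherwise raise TokenInvalid."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenInvalid("malformed token")
    # 1. Signed by the Authorization Server: pin the algorithm we configured rather than
    #    trusting the token's own header, so an unsigned ("none") token is rejected outright
    if header.get("alg") != "HS256":
        raise TokenInvalid("unexpected alg")
    expected_sig = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise TokenInvalid("bad signature")
    # 2. Not expired (and not used before its nbf, when present)
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + CLOCK_SKEW:
        raise TokenInvalid("expired")
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        raise TokenInvalid("not yet valid")
    # 3. Correct Issuer
    if claims.get("iss") != expected_issuer:
        raise TokenInvalid("wrong issuer")
    # 4. Correct Audience: a token minted for another API must not be accepted by this one
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise TokenInvalid("wrong audience")
    return claims


def validation_error(token, key, expected_issuer, expected_audience, now=None):
    """Return the rejection reason, or None when the token passes every check."""
    try:
        validate_token(token, key, expected_issuer, expected_audience, now)
    except TokenInvalid as exc:
        return str(exc)
    return None


def has_role(claims: dict, role: str) -> bool:
    """Authorisation step after validation: check the roles the App Registration assigned."""
    return role in claims.get("roles", [])


if __name__ == "__main__":
    key = b"constructed-demo-hmac-key"
    issuer = "https://login.example.test/tenant/v2.0"
    audience = "api://constructed-api"
    now = int(time.time())
    token = mint_token({"iss": issuer, "aud": audience, "sub": "user-123", "upn": "alice@example.test",
                        "roles": ["Reader"], "iat": now, "exp": now + 3600}, key)
    claims = validate_token(token, key, issuer, audience)
    print("valid for", claims["upn"], "Reader:", has_role(claims, "Reader"), "Admin:", has_role(claims, "Admin"))
    print("other API:", validation_error(token, key, issuer, "api://other"))
```

The audience check is the one most often skipped in practice: a token that is perfectly valid for one API in the same tenant is still not valid for this one, and accepting it lets any client that can obtain a token for a weaker API call yours. Only after `validate_token` returns do the roles or groups claims mean anything, which is why `has_role` takes the validated claims rather than the raw token.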
18. Last thing, how it looks in the code
19. Questions?
20. Resources
 https://oauth.net/
 https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
 https://auth0.com/docs/protocols/protocol-oauth2